1. Field of the Invention
The present invention relates to a technology for the security of electronic equipment, and in particular to a security monitoring apparatus, security monitoring method and program storage medium for maintaining and managing the security of complicated electronic equipment without burdening the user.
2. Description of the Related Art
Conventionally, in order to maintain and manage the security (access management, etc.) of electronic equipment such as computers, security monitoring systems have been developed, such as user management systems using a user ID and password, data leak prevention systems using cryptography, access control systems and authentication systems.
In such a security monitoring system, management information about a user which is set in advance (a user ID, a password, etc.) is collated against the management information the user must present in order to operate the apparatus; if the two match as specified, or the request is judged to be within an allowed scope, the user's request is executed. Namely, conventional security management is based on the authentication of a user.
However, in such a security management system based on user authentication (user ID, password, access restriction, etc.), management of the access log is always required in order to check whether an unauthorized access has occurred: a legitimate user or manager must inspect the access log and verify whether each access was made by that user, by the manager or by another legitimate user. Such a system has a fundamental weakness in that a simple user ID and password are easy to acquire illegitimately. It also has the problem that the user has to check the access log every time, which is very troublesome. Since log management relies more or less on an operator, it takes time to verify the legitimacy of an access, and as a result it also takes time to detect an unauthorized access.
If user authentication information leaks, a great deal of labor and time is needed to verify whether an unauthorized access has occurred, and discovery of the unauthorized access is greatly delayed, which is another problem.
For the above reasons, the conventional security management system based on user authentication has no fundamental security control over the leakage of authentication information, or else a great deal of labor is required to maintain and manage security with it.
A semi-automatic access is an access made through a network in which there is basically no user control, as in the mail reception protocol of a mail server. Such an access is made virtually automatically, usually under a specific user name and with a certain kind of special execution privilege, so sufficient attention has to be paid to its security. However, an unauthorized user, a virus, etc., often gains access by taking advantage of this weak point in the security system, and security monitoring based on user authentication is basically powerless against such an access.
Although a security system using cryptography has the merit that important information cannot be decoded even when data are transmitted through a network or a user gains unauthorized access to the data, it is powerless against an unauthorized log-in or an unauthorized access.
The object of the present invention is to provide a security monitoring system which does not rely on user authentication alone to maintain and manage security, but performs more powerful maintenance and management of security, even if the authentication information of a user has leaked, by monitoring the access situation from a user or through a network, detecting an abnormal access and issuing an alarm.
The present invention comprises a mechanism for monitoring access from the outside to the electronic equipment to be monitored and issuing an alarm if a new access is judged to be abnormal by referring to the access log (security management information) of past access situations.
According to the present invention, the access situation at the time of an access, such as the access environment, access time, etc., is acquired and accumulated in electronic equipment having a means of access from the outside, and an alarm is issued to a manager or user if the access situation meets a predetermined criterion. Typical access means for electronic equipment include, for example, a network and input devices such as a keyboard and a mouse. Typical types of access to electronic equipment include, for example, log-in to the equipment, file access, execution of a command to operate the equipment, and access through a network.
A means for setting criteria for access situations according to the frequency of access and the type of access (write, read, execute, etc.) can also be provided.
For example, the mechanism can be configured, according to the security management information obtained from the past access log, so that an alarm is issued a certain number of times, or for a certain time period, after the first occurrence of an access, and is no longer issued once the same access has been repeated a certain number of times.
Furthermore, a mechanism can be added for setting whether an access from a certain user is refused or accepted after an alarm has been issued as a result of security monitoring. Alternatively, in equipment with a security management mechanism using a password, a mechanism can be provided which, when an access from a certain user is received and an alarm is issued on the basis of the security management information, requests another password and accepts the access only if the inputted password is judged to be legitimate.
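The following is an added example, not code from the patent, showing the three mechanisms just described together: a new access is judged abnormal by comparing its access situation (user, access environment, type of access) with the accumulated log, an alarm is issued only for the first few occurrences of a new situation and suppressed once it has been repeated, and the post-alarm policy is either refusal, acceptance, or a request for a second password. The class and function names, the threshold of three occurrences, the documentation address 198.51.100.7 and the sample log are all assumptions constructed for illustration.

```python
"""Log-based abnormal-access detection with alarm suppression and a post-alarm
policy. Added example, not code from the patent; all names, thresholds and the
sample log below are assumptions constructed for illustration."""
import hmac
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Access:
    user: str
    source: str  # access environment, e.g. "console" or a remote host address
    kind: str    # type of access: "login", "read", "write", "exec"


@dataclass(frozen=True)
class Decision:
    alarm: bool
    action: str  # "accept", "deny" or "challenge"


class AccessMonitor:
    """Judges a new access against the accumulated log of past access situations.

    An access situation is the tuple (user, source, kind). A situation seen
    fewer than `alarm_limit` times is judged abnormal and raises an alarm;
    once it has been repeated `alarm_limit` times it is treated as part of the
    user's normal pattern and no further alarm is issued.
    """

    def __init__(self, alarm_limit: int = 3, policy: str = "deny",
                 second_password: Optional[str] = None) -> None:
        if policy not in ("accept", "deny", "challenge"):
            raise ValueError(f"unknown post-alarm policy: {policy}")
        if policy == "challenge" and second_password is None:
            raise ValueError("challenge policy needs a second password")
        self.alarm_limit = alarm_limit
        self.policy = policy
        self.second_password = second_password
        self.history: Counter = Counter()               # situation -> times seen
        self.alarm_log: List[Tuple[Access, int]] = []   # (access, occurrence no.)

    @staticmethod
    def _situation(a: Access) -> Tuple[str, str, str]:
        return (a.user, a.source, a.kind)

    def load_history(self, past: Iterable[Access]) -> None:
        """Seed the monitor with the access log accumulated so far."""
        for a in past:
            self.history[self._situation(a)] += 1

    def observe(self, access: Access, second_password: Optional[str] = None) -> Decision:
        """Record a new access, decide whether to alarm, and apply the policy."""
        key = self._situation(access)
        seen_before = self.history[key]
        self.history[key] += 1
        if seen_before >= self.alarm_limit:
            # Repeated often enough in the past: normal, accept silently.
            return Decision(alarm=False, action="accept")
        self.alarm_log.append((access, seen_before + 1))
        if self.policy == "accept":
            return Decision(alarm=True, action="accept")
        if self.policy == "deny":
            return Decision(alarm=True, action="deny")
        # "challenge": ask for the second password; accept only if it is right.
        if second_password is None:
            return Decision(alarm=True, action="challenge")
        assert self.second_password is not None
        # Constant-time comparison; a deployment would store a password hash.
        if hmac.compare_digest(second_password.encode(), self.second_password.encode()):
            return Decision(alarm=True, action="accept")
        return Decision(alarm=True, action="deny")


# Constructed sample log: alice has only ever worked from the console.
SAMPLE_HISTORY = [Access("alice", "console", "login")] * 5 + \
                 [Access("alice", "console", "read")] * 5


def run_scenario() -> List[Decision]:
    """Replay a constructed sequence of new accesses through a deny-policy monitor."""
    mon = AccessMonitor(alarm_limit=3, policy="deny")
    mon.load_history(SAMPLE_HISTORY)
    events = [Access("alice", "console", "login")] + \
             [Access("alice", "198.51.100.7", "login")] * 4
    return [mon.observe(e) for e in events]


if __name__ == "__main__":
    for d in run_scenario():
        print(d)
```

In the replayed scenario the console log-in is accepted without an alarm, the first three log-ins from the unfamiliar network address each raise an alarm and are refused, and the fourth is accepted silently because the situation has now been repeated the configured number of times. Whether that fourth access should really be trusted is a policy decision; the alarm log keeps every earlier occurrence so a manager can still review them.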
Alternatively, the access times in the security management information can be processed statistically, for example by fitting a normal distribution to a user's access times, and the range outside which an alarm is issued can be determined on the basis of the variance of the access time.
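The following is an added example, not code from the patent, of the normal-distribution treatment of access times: the mean and sample standard deviation of a user's past access times (seconds since midnight) are computed from the log, and a new access whose time lies more than a chosen number of standard deviations from the mean is judged abnormal. The function names, the two-sigma window, the fifteen-minute variance floor, the minimum of five samples and the sample log-in times are assumptions.

```python
"""Time-of-day profile of a user's accesses under a normal-distribution
assumption. Added example, not from the patent; function names, the 2-sigma
window, the variance floor, the minimum sample count and the sample times are
assumptions."""
from datetime import time
from statistics import mean, stdev
from typing import Optional, Sequence, Tuple


def seconds_of_day(hhmm: str) -> int:
    """Access time "HH:MM" or "HH:MM:SS" reduced to seconds since midnight."""
    t = time.fromisoformat(hhmm)
    return t.hour * 3600 + t.minute * 60 + t.second


def fit_time_profile(past: Sequence[int], min_samples: int = 5) -> Optional[Tuple[float, float]]:
    """Mean and sample standard deviation of past access times.

    Returns None when the log holds too few samples to estimate a variance;
    the caller should then fall back to a fixed rule rather than alarm on noise.
    """
    if len(past) < min_samples:
        return None
    return mean(past), stdev(past)


def time_deviation(profile: Tuple[float, float], t: int, min_sigma: float = 900.0) -> float:
    """Distance of access time t from the mean, in standard deviations.

    min_sigma (15 min) floors the spread so that a user with extremely regular
    habits does not raise an alarm on every minute of jitter.
    """
    mu, sigma = profile
    return abs(t - mu) / max(sigma, min_sigma)


def is_abnormal_time(past: Sequence[int], hhmm: str, k: float = 2.0) -> Optional[bool]:
    """True if the access time lies outside mean +/- k*sigma of past accesses.

    None means no profile could be fitted (insufficient history).
    """
    profile = fit_time_profile(past)
    if profile is None:
        return None
    return time_deviation(profile, seconds_of_day(hhmm)) > k


# Constructed sample log: alice's past log-in times cluster around 09:00.
ALICE_LOGINS = [seconds_of_day(s) for s in
                ("08:50", "09:00", "09:10", "08:40", "09:20", "09:05")]

if __name__ == "__main__":
    for probe in ("09:15", "09:35", "03:00"):
        print(probe, is_abnormal_time(ALICE_LOGINS, probe))
```

For the constructed log the mean is 09:00:50 and the sample standard deviation about 14 minutes, so the floor of 15 minutes applies and the alarm window is roughly 08:31 to 09:31. A 09:15 log-in is normal, a 09:35 log-in is just outside the window, and a 03:00 log-in is far outside it. Note the caveat that a linear mean is meaningless for users whose accesses straddle midnight; such users need circular statistics or a shifted day boundary.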
Alternatively, in order to manage the security level, a mechanism can be provided which utilizes a plurality of setting files relating to security management information and access restriction information, and which changes the setting file in use according to the access situation of a user, such as the elapsed time and the frequency of accesses, thereby modifying and managing the security level. Thus, for example, when a new user is registered, a security check different from that applied to an established user can be applied to the new user by utilizing an initially set access situation.
A program causing a computer to execute each of the above-described processes can be stored in an appropriate computer-readable storage medium, such as a portable memory medium, a semiconductor memory, a hard disk, etc.
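The following is an added example, not code from the patent, of selecting among a plurality of setting files according to the user's access situation: two setting files in INI syntax (constructed inline here rather than read from disk) carry the security management and access restriction information, and the file in use is chosen from the elapsed time since registration and the accumulated number of accesses, so that a newly registered user is checked under the strict file until both conditions are met. The file names, keys, thresholds and dates are assumptions.

```python
"""Selecting one of several setting files according to the user's access
situation (elapsed time since registration, number of accesses). Added
example, not from the patent; file names, keys and thresholds are assumptions,
and the two setting files are constructed inline instead of read from disk."""
import configparser
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet

# Constructed setting files. strict.ini applies while a user's access situation
# is still the initially set one; normal.ini applies to established users.
SETTING_FILES: Dict[str, str] = {
    "strict.ini": """
[security]
level = high
alarm_limit = 1
require_second_password = yes
allowed_kinds = login read
""",
    "normal.ini": """
[security]
level = normal
alarm_limit = 3
require_second_password = no
allowed_kinds = login read write exec
""",
}


@dataclass(frozen=True)
class SecurityProfile:
    source_file: str
    level: str
    alarm_limit: int
    require_second_password: bool
    allowed_kinds: FrozenSet[str]


def load_profile(name: str) -> SecurityProfile:
    """Parse one setting file (INI syntax) into a SecurityProfile."""
    cp = configparser.ConfigParser()
    cp.read_string(SETTING_FILES[name])
    sec = cp["security"]
    return SecurityProfile(
        source_file=name,
        level=sec["level"],
        alarm_limit=sec.getint("alarm_limit"),
        require_second_password=sec.getboolean("require_second_password"),
        allowed_kinds=frozenset(sec["allowed_kinds"].split()),
    )


def choose_setting_file(registered_on: str, today: str, access_count: int,
                        min_age: timedelta = timedelta(days=7),
                        min_accesses: int = 20) -> str:
    """Pick the setting file for a user from elapsed time and access frequency.

    A user stays on strict.ini until enough time has passed since registration
    AND enough accesses have accumulated; either condition alone is not
    sufficient, so a brand-new account cannot reach the normal profile by
    hammering the equipment on its first day.
    """
    age = date.fromisoformat(today) - date.fromisoformat(registered_on)
    if age < min_age or access_count < min_accesses:
        return "strict.ini"
    return "normal.ini"


def profile_for(registered_on: str, today: str, access_count: int) -> SecurityProfile:
    """Security profile currently in force for the given access situation."""
    return load_profile(choose_setting_file(registered_on, today, access_count))


if __name__ == "__main__":
    print(profile_for("2024-02-28", "2024-03-01", 50))   # new user: strict
    print(profile_for("2023-06-01", "2024-03-01", 500))  # established: normal
```

The profile returned is what an access monitor would be parameterized with (alarm threshold, whether a second password is demanded after an alarm, which types of access are permitted at all), so changing the setting file in use is what changes the security level for that user.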